Key takeaways from Singapore healthcare data breach

No system is infallible and cybersecurity breaches are inevitable, but Singapore needs to do better in mitigating the risks and following through on its pledge to safeguard citizen data.

This week, Singapore is reminded again that no matter how much we talk about how highly aware we are about the importance of cybersecurity and how we must put stronger focus on securing our systems, that our seemingly highly-focused highly-secured infrastructures will be breached.

It's not a question of if, but a question of when. We've heard that often enough from security experts sounding the alarm on why organisations need to prepare their networks not just to fend off attacks, but also to be able to quickly recover from a breach.

Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including PM

Government describes attack as "deliberate, targeted, well-planned" and assures no medical data has been tempered with, but security vendors warn compromised data may end up for sale on the Dark Web.

Read More

So it's not just a question of when. It's also a question of what and how we respond when our systems have been infiltrated.

This week, 1.5 million in Singapore found out just how well, or not, their healthcare provider uncovered and reacted to a serious cyberattack.

The operator of the country's largest group of healthcare institutions, SingHealth revealed that non-medical personal data of 1.5 million patients had been "accessed and copied", including their national identification number, address, and date of birth. In addition, outpatient medical data of 160,000 patients were compromised.

According to the authorities, no other patient records such as diagnosis, test results or doctors' notes, were breached and tampered with, and there were no evidence of a similar breach in other local public healthcare IT systems.

Detection cannot come only after a week

What I personally found troubling was the fact that it took a week after data had been breached before the first sign of "unusual activity" was detected on July 4, 2018, by the Integrated Health Information Systems (IHiS), which is responsible for running Singapore's public healthcare institutions' IT systems.

It was later established that data had been "exfiltrated" from June 27--a full week before the IHiS picked up on the abnormal activities in the network. The agency said it was able to stop the illegal activities "immediately" after the July 4 discovery.

That also meant the hackers were able to walk away with--specifically, "accessed and copied"--packet-loads of data belonging to 1.5 million patients as well as access outpatient medical data of another 160,000, undetected for a week.

Some may commend the relatively short timeframe, well, sure, if you compared that to past studies that revealed most organisations took six months to detect a breach.

However, a week is simply not good enough for a country that has been one of the most progressive "smart nations" and amongst the early adopters of new technologies and digital transformation.

And healthcare isn't most organisations. This time, hackers walked away with just personal data. Think of what cyberterrorists could have done, given the luxury of a week, if they had succeeded in infiltrating and bringing down critical healthcare systems.

With businesses fumbling, Singapore must take more care in data aspirations

Singapore government has been opening up user data access to ease information exchange and business transactions, but it should observe some caution as major organisations continue to slip up over security.

Read More

Surely, better detection tools, especially when coupled with artificial intelligence and machine learning, would have been able to identify an unusual daily level of data access, and duplication, and raise an alarm sooner than a week?

Such capabilities would be even more important given, as some security experts have highlighted, healthcare environments are highly heterogeneous with various devices and systems in place and not necessarily operating with uniform cybersecurity effectiveness.

Essentially, it's an IoT minefield and a nightmare for network administrators, unless they have the right automation and detection tools in place to help them mitigate potential risks.

Users not adequately empowered to exercise good security hygiene

The Singapore government also often underscores the integral role citizens play in practising good cyber hygiene and learning to safeguard their own data.

However, there is little point in raising public awareness when little is being done to empower consumers to do so.

Often, and seemingly more frequently of late, I've felt like a helpless hostage when I interact with businesses with which I want to transact or engage. For example, my bank decided it was "to my convenience" when they went ahead to record my voice and activate voice biometrics as an identity verification, without first seeking my approval. And while its terms and conditions declaration outlines various points such as the bank's limited liability and full indemnification governing electronic services, as well as the customer's "automatic" enrolment in voice biometrics, it fails to explain how customer data such as voiceprints are secured.

Media registration for some conferences these days also requires mandatory consent to data sharing with third-parties and additional personal details that isn't obviously clear are necessary for one to attend a keynote speech.

Data is king, I get that, and I'm not entirely opposed to businesses collecting data from customers so they can provide more tailored user experience or in exchange for free services and incentives. But, at the same time, consumers also have the right to know how these businesses are storing and securing that data and frontline service staff should be armed with the knowledge to explain such details, instead of responding with a blank shrug.

Above all, there should always be an option to opt out, even if that means the customer's access to certain services then may be limited.

Singapore industry needs stronger codes of conduct as consumer data gains value

As businesses capture more information about customers, consumers need to be more informed about such practices and industry guidelines and codes of conduct must evolve to ensure responsible data use.

Read More

If businesses increasingly are pushing the limits of how far they can go with how and what data they're taking from consumers, perhaps regulations and laws governing such access need to be reviewed.

The lack of empowerment as a consumer also is the primary reason why I shudder whenever my government decides to open up even more access to data or ease data-sharing. The intent here is good and main objective to better service citizens, but when organisations--including healthcare providers--clearly still are struggling to cope with security threats, perhaps the government needs to take a step back and more closely evaluate what else needs to be done to better protect its citizens.

Maybe businesses should be made to pass a security checklist--to ensure they have robust systems and practises in place--before they're given access to data. Maybe they should be regularly audited to ensure they remain in compliance and compelled to provide opt-out options in exchange for limited access to services.

Moreover, and this is a pet peeve of mine, there is no clear recourse for consumers when a data breach or violation involves a government entity, since the public sector isn't included under Singapore's Personal Data Protection Act (PDPA).

Interestingly, SingHealth has published its data protection policy, which notes that the healthcare group's institutions are subject to the PDPA, as well as "specific legislation or regulations concerning relevant aspects of healthcare". However, under the act's Fourth Schedule, Section 2, it is stated that organisations may disclose personal data about an individual without prior consent when it involves patients of licensed healthcare institutions or prescribed healthcare bodies disclosed to a public agency "for the purpose of policy formulation or review". SingHealth is a "prescribed healthcare body" under the act.

SingHealth also notes that "where there are inconsistencies between the PDPA and existing sectoral laws and regulations in respect of the collection, use or disclosure of personal data, the provisions of the other written laws shall prevail". In its data policy, the healthcare group adds that it is not liable for damages resulting from security breaches involving unauthorised use of patients' username and password.

It further notes: "Each SingHealth institution will take reasonable efforts to protect personal data in our possession or our control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. However, we cannot completely guarantee the security of any personal data we may have collected from or about you--for example, that no harmful code will enter our website [via] viruses, bugs, trojan horses, spyware or adware."

This latest breach, involving yet another government agency, again underscores the need for the public sector to be considered under the same data protection laws as private businesses or--at the very least--the need for more clarity on the government's own data rules and policies.

The Singapore government, though, is right in emphasising that the country cannot move backwards and let the fear of cyberattacks derail its smart nation ambition. As Prime Minister Lee Hsien Loong says: "Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected... We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation."

Singapore needs to adapt and evolve so it can operate not only efficiently, but also securely in the digital age. But no system is infallible and cybersecurity breaches are inevitable, so it needs to learn from each one and get better at mitigating future risks.

Back to the drawing board then.